Implement detectors.EndpointCustomizer on datadogtoken #2510

Merged (1 commit), Feb 28, 2024

Conversation

simonwhitaker
Contributor

@simonwhitaker simonwhitaker commented Feb 25, 2024

Description

As reported in #2265, Datadog API and app key verification only works if the tokens were generated in the main Datadog region (US East 1, aka api.datadoghq.com). This PR makes it possible to override the Datadog API endpoint at runtime.

Please note: when specifying a custom verifier host on the command line, trufflehog checks both the custom host and the default host. (See example below of when I ran this.) I wasn't expecting this, but it does appear to be the expected behaviour of detectors.EndpointCustomizer when using detectors.EndpointSetter. Please let me know if I've misunderstood anything here. (Very possible.)

Closes #2265

Typical usage

By default, validate against https://api.datadoghq.com only:

trufflehog filesystem .

Validate against a different endpoint:

trufflehog filesystem . --verifier \
    datadogToken=https://api.datadoghq.eu

Validate against multiple endpoints:

trufflehog filesystem . --verifier \
    datadogToken=https://api.datadoghq.eu,https://api.us3.datadoghq.com/

Sample output

I registered API and app tokens on both https://api.datadoghq.com/ and https://api.datadoghq.eu. (I gave both app tokens access to the user_access_read scope, since this is needed by the verifier; removing this dependency would be nice to do, but belongs in a separate PR.)

With the default verifier host:

$ go run . filesystem ~/misc/trufflehog-datadog-truffles/
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-02-25T20:18:01Z	info-0	trufflehog	running source	{"source_manager_worker_id": "mvt4B", "with_units": true}
Found unverified result 🐷🔑❓
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: APIKeyOnly
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-eu-api-only.py

Found unverified result 🐷🔑❓
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: Application+APIKey
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-eu.py
Line: 1

✅ Found verified result 🐷🔑
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: APIKeyOnly
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-us-api-only.py

✅ Found verified result 🐷🔑
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: Application+APIKey
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-us.py
Line: 1

2024-02-25T20:18:01Z	info-0	trufflehog	finished scanning	{"chunks": 4, "bytes": 334, "verified_secrets": 2, "unverified_secrets": 2, "scan_duration": "557.51975ms"}

With a custom verifier host:

$ go run . filesystem ~/misc/trufflehog-datadog-truffles/ --verifier datadogToken=https://api.datadoghq.eu
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-02-25T20:18:11Z	info-0	trufflehog	configured detector with verification urls	{"detector": "DatadogToken", "urls": ["https://api.datadoghq.eu", "https://api.datadoghq.com"]}
2024-02-25T20:18:11Z	info-0	trufflehog	running source	{"source_manager_worker_id": "IbfYG", "with_units": true}
✅ Found verified result 🐷🔑
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: APIKeyOnly
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-us-api-only.py

✅ Found verified result 🐷🔑
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: APIKeyOnly
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-eu-api-only.py

✅ Found verified result 🐷🔑
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: Application+APIKey
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-us.py
Line: 1

✅ Found verified result 🐷🔑
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: Application+APIKey
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-eu.py
Line: 1

2024-02-25T20:18:13Z	info-0	trufflehog	finished scanning	{"chunks": 4, "bytes": 334, "verified_secrets": 4, "unverified_secrets": 0, "scan_duration": "1.693135959s"}

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint; this requires golangci-lint)?

Notes on testing

  • I did run make test-community but it failed, for an issue unrelated to this change.
  • I would suggest also updating datadogtoken_test.go here, to also test Datadog credentials from an instance other than the default (api.datadoghq.com), but I think this needs to be done by someone with access to the test secrets in GCP.
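The endpoint-override pattern this PR describes, as an added illustrative example in Go that is not trufflehog's own code: the EndpointCustomizer interface and EndpointSetter signatures here are assumed and simplified, DatadogDetector, VerifyAPIKey and fakeRegion are hypothetical, and the two httptest servers are constructed stand-ins for regional Datadog APIs that each accept a different key. It reproduces the behaviour noted above (custom endpoints are queried ahead of the default host, not instead of it) and adds the check a practitioner would want when a scanner sends live credentials to a user-supplied host: an override must be an absolute https URL or it is rejected.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed, simplified shape of the EndpointCustomizer contract (not trufflehog's own definition).
type EndpointCustomizer interface {
	SetEndpoints(endpoints ...string) error
	Endpoints(defaults ...string) []string
}

// EndpointSetter stores user-supplied endpoints; detectors embed it.
type EndpointSetter struct{ custom []string }

// SetEndpoints validates and stores overrides. Only absolute https URLs are
// accepted, so a mistyped --verifier value cannot send a live key over plain http.
func (e *EndpointSetter) SetEndpoints(endpoints ...string) error {
	if len(endpoints) == 0 {
		return fmt.Errorf("at least one endpoint is required")
	}
	cleaned := make([]string, 0, len(endpoints))
	for _, raw := range endpoints {
		u, err := url.Parse(strings.TrimSpace(raw))
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return fmt.Errorf("invalid verification endpoint %q: want an absolute https URL", raw)
		}
		cleaned = append(cleaned, strings.TrimRight(u.String(), "/"))
	}
	e.custom = cleaned
	return nil
}

// Endpoints returns the custom endpoints first, then the defaults, without
// duplicates: the custom host is checked in addition to the default host.
func (e *EndpointSetter) Endpoints(defaults ...string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, ep := range append(append([]string{}, e.custom...), defaults...) {
		if ep = strings.TrimRight(ep, "/"); !seen[ep] {
			seen[ep], out = true, append(out, ep)
		}
	}
	return out
}

// DatadogDetector is a hypothetical detector embedding EndpointSetter.
type DatadogDetector struct {
	EndpointSetter
	defaultEndpoint string
	client          *http.Client
}

// VerifyAPIKey tries each configured region in order and reports the first one
// that accepts the key (GET /api/v1/validate with a DD-API-KEY header).
func (d *DatadogDetector) VerifyAPIKey(apiKey string) (verified bool, region string) {
	for _, ep := range d.Endpoints(d.defaultEndpoint) {
		req, _ := http.NewRequest(http.MethodGet, ep+"/api/v1/validate", nil) // ep is a fixed base URL
		req.Header.Set("DD-API-KEY", apiKey)
		resp, err := d.client.Do(req)
		if err != nil {
			continue // region unreachable: fall through to the next one
		}
		resp.Body.Close()
		if resp.StatusCode == http.StatusOK {
			return true, ep
		}
	}
	return false, ""
}

// fakeRegion is a constructed stand-in for one Datadog region that accepts
// exactly one API key; real regions hold disjoint key sets.
func fakeRegion(validKey string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		status := http.StatusForbidden
		if r.URL.Path == "/api/v1/validate" && r.Header.Get("DD-API-KEY") == validKey {
			status = http.StatusOK
		}
		w.WriteHeader(status)
	}))
}

func main() {
	us, eu := fakeRegion("us-key"), fakeRegion("eu-key")
	defer us.Close()
	defer eu.Close()
	d := &DatadogDetector{defaultEndpoint: us.URL, client: us.Client()} // httptest servers share one test cert
	ok, _ := d.VerifyAPIKey("eu-key")
	fmt.Println("eu key, default host only:", ok)
	if err := d.SetEndpoints(eu.URL); err != nil {
		panic(err)
	}
	ok, where := d.VerifyAPIKey("eu-key")
	fmt.Println("eu key, eu endpoint configured:", ok, where)
}
```

Run with `go run .`: the EU-only key stays unverified while only the US default is queried and becomes verified once the EU endpoint is set, while a key valid in the default region still verifies there. The https-only validation in SetEndpoints is the defensive piece: the verifier puts the real credential in a request header to whatever host is configured, so the override path should not accept a scheme or host that was never intended.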

@simonwhitaker simonwhitaker marked this pull request as ready for review February 25, 2024 20:28
@zricethezav
Collaborator

Hi @simonwhitaker! Thanks so much for opening this PR. This is a shining example of a community contribution -- great description and the code changes are consistent with other detectors. This PR LGTM!

We really appreciate the video you posted on YouTube! It was really insightful to see your process navigating the code and documentation. Thank you for identifying notable gaps in our documentation. We're working on upping our documentation game ;)

@zricethezav zricethezav merged commit 431586c into trufflesecurity:main Feb 28, 2024
8 of 9 checks passed
@simonwhitaker simonwhitaker deleted the simonwhitaker/2265 branch February 29, 2024 18:22
Successfully merging this pull request may close these issues.

Adding Datadog secrets checks for all regions